The Best Damn Firewall Book Period
Secure Sockets Layer (SSL) is a protocol that can be used to manage the security of Internet communications. SSL operates between HTTP at the Application layer and TCP at the Transport layer. Although it was originally developed by Netscape for secure communications with their browser, SSL is now included in both Netscape Communicator and Microsoft Internet Explorer browser software. SSL uses public key encryption and digital certificates to ensure secure communications.
SSL is used not only for Web services; you can also use it for mail services (POP3 and IMAP) and other TCP-based applications. Stunnel is a universal SSL wrapper that can be used with applications like Telnet and FTP. Stunnel can be found at www.stunnel.org.
However, many UNIX systems use Secure Shell (SSH) instead of Telnet or FTP over SSL to encrypt network logins. The most common version of Secure Shell in use is OpenSSH, but there are commercial solutions available. OpenSSH is available at www.openssh.org.
Note: By default, SSL tunneling is used for outbound client requests to port 443. Secure Shell uses port 22.
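The layering described above (HTTP on top of SSL/TLS on top of TCP) and the certificate check that makes the tunnel worth having can be seen in a few lines of Python. This is an added example, not code from the book: `make_client_context`, `https_head` and `days_until_expiry` are names chosen here, `SAMPLE_CERT` is a constructed certificate dictionary in the shape Python's `getpeercert()` returns, and the default host in the demo is simply one of the sites the chapter links to.

```python
import socket
import ssl
import sys
import time


def make_client_context() -> ssl.SSLContext:
    """Client-side SSL/TLS context that actually verifies the server.

    create_default_context() loads the platform CA store, requires a server
    certificate (CERT_REQUIRED) and checks that it matches the hostname.
    Pinning the minimum version refuses SSL 2/3 and TLS 1.0/1.1 outright.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context refuses unverified peers and legacy protocol versions."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def days_until_expiry(cert: dict, now_seconds: float) -> float:
    """Days left on a certificate, given the dict shape getpeercert() returns."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - now_seconds) / 86400


def https_head(host: str, port: int = 443):
    """The three layers in one place: a TCP socket, wrapped in TLS, carrying HTTP.

    Returns (HTTP status line, negotiated protocol version, peer certificate).
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=10) as tcp:     # Transport layer
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:         # SSL/TLS in between
            request = (b"HEAD / HTTP/1.1\r\nHost: " + host.encode("ascii")
                       + b"\r\nConnection: close\r\n\r\n")              # Application layer
            tls.sendall(request)
            status = tls.recv(256).split(b"\r\n", 1)[0].decode("ascii", "replace")
            return status, tls.version(), tls.getpeercert()


# Constructed sample certificate in getpeercert() dict form, for the offline check only.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
# Constructed "current time": 31 days before SAMPLE_CERT expires.
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec  1 00:00:00 2029 GMT")


if __name__ == "__main__":
    # Any HTTPS host works; www.stunnel.org is just one the chapter already mentions.
    host = sys.argv[1] if len(sys.argv) > 1 else "www.stunnel.org"
    status, version, cert = https_head(host)
    print(host, status, version,
          f"certificate expires in {days_until_expiry(cert, time.time()):.0f} days")
```

The point of `context_is_strict` is that a tunnel which does not verify the peer certificate gives confidentiality against a passive listener only; anyone able to sit in the path can present their own certificate, so verification is what turns SSL into the protection the chapter describes.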
Testing Security
It is far, far better to test your own security and find holes than for a hacker to find them for you. An effective security program includes regular vulnerability assessments and penetration testing as well as updates to your risk assessment when there are significant changes to the business or the technology. For example, initiating extranet links to business partners or starting to provide remote broadband access to employees should be accompanied by an updated risk profile that identifies the risks of the new activity and the component threats, prioritized by probability and severity. This testing identifies the components that have to be better secured and the level of effort required.
Things that have to be tested or checked include:
- Security policy compliance, including things like password strength
- System patch levels
- Services running on systems
- Custom applications, particularly public-facing Web applications
- New servers added to the network
- Active modems that accept incoming calls
A multitude of tools, both freeware and commercial off-the-shelf tools, are available to perform security testing. Some freeware tools include:
- Nmap (www.insecure.org/nmap/) Nmap is one of the most commonly used network and port scanning tools, used by hackers and security professionals alike. It has the ability to "fingerprint" the operating system of the target host by analyzing the responses to different types of probes.
- Nessus (www.nessus.org) Nessus is a powerful, flexible vulnerability-scanning tool that can test different target platforms for known holes. It consists of a server process that is controlled by a separate graphical user interface (GUI). Each point of vulnerability is coded via a plug-in to the Nessus system, so new vulnerabilities can be added and tested.
- whisker (http://sourceforge.net/projects/whisker/) whisker is a collection of Perl scripts used to test Web server CGI scripts for vulnerabilities, a common point of attack in the Web environment.
- Security Auditor's Research Assistant (www-arc.com/sara/) SARA is a third-generation UNIX-based security assessment tool based on the original SATAN. SARA interfaces with other tools such as Nmap and Samba for enhanced functionality.
- L0phtCrack (www.atstake.com/research/lc/) L0phtCrack is used to test (crack) Windows NT passwords. It is a good tool to look for weak passwords.
Commercial tools include:
- ISS Internet Scanner (www.iss.net) Internet Scanner is used to scan networks for vulnerabilities. ISS also makes scanners specifically for databases, host systems, and wireless networks.
- Symantec Enterprise Security Manager (www.symantec.com) ESM helps monitor for security policy compliance.
- PentaSafe VigilEnt Security Manager (www.pentasafe.com) VigilEnt assesses for vulnerabilities across an enterprise with easy-to-use reporting.
In addition to testing security yourself, it is good practice to bring in security experts that are skilled in vulnerability assessments and penetration testing. These experts (sometimes known as ethical hackers) conduct attacks in the same manner as a hacker would, looking for any holes accessible from the outside. They are also able to conduct internal assessments to validate your security posture against industry best practices or standards such as the Common Criteria (http://csrc.nist.gov/cc/) or ISO17799. Internal assessments include interviews with key staff and management, reviews of documentation, and testing of technical controls. A third-party review potentially provides a much more objective view of the state of your security environment and can even be useful in convincing upper management to increase IT security funding.